What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is a derivative of the Hypertext Transfer Protocol (HTTP). This “protocol” is used to transfer data on the web. It’s a critical piece of how the web works to communicate between a browser and a web server.
If you’d like a more in-depth breakdown of how HTTPS communication works, I wrote an article on it back in 2018.
The “S” in HTTPS stands for security, but it should not be confused with the security of your website. It refers to the security of your data as it traverses the internet, not to the security of the website itself. This article dives into that distinction, works to dispel some misunderstandings about what HTTPS offers your website, and highlights ways consumers can use it as an indicator to stay safe online.
How HTTPS Works for the Layman
To help illustrate how HTTP/S works, let’s visualize sending mail via the postal service.
HTTP is like sending a letter without an envelope – anyone who intercepts the letter can read its contents. HTTPS, on the other hand, is like sending the letter in a sealed, secure envelope. Even if someone intercepts it, they can’t read what’s inside because it’s sealed in a secure envelope.
Granted, in that analogy a user could take a knife to the envelope and open it. Yes, yes, I get it. Think of it more like the mail being delivered via armored truck. Intense!
To expand on that point, let’s imagine we find ourselves on an online form. We type some information in (e.g., name, Social Security number, etc.). When the site is using HTTP, this is what gets sent over the network:
Using that same scenario, this is what HTTPS does to the same information:
You can still see something was sent, but you can’t see what was sent. This level of protection is achieved through something known as “encryption”.
Encryption scrambles information, making it unreadable without the corresponding key. That key is something a web server has.
So, when you visit a website with HTTPS, your web browser and the website server are communicating using encryption to ensure that your data (like passwords, credit card information, or personal messages) remains private and secure from prying eyes.
These days, a vast percentage of the web is already encrypted (85.3% according to w3techs), but you may still stumble on websites that are not using HTTPS. In these instances, if you value the security of your sensitive data, I recommend reaching out to the service provider, informing them of the issue, and asking if there is another way to pay.
Helpful HTTPS Indicators
As an astute online citizen, here are a few things you can look for when interacting with a website:
HTTPS – Not Secure
When you visit a website that does not have HTTPS you will see messaging similar to this in your browser:
This is informing you that the website does not have HTTPS enabled, which is a good reason to exercise caution. I would not interact with any forms on this website, as anything submitted is likely not being handled correctly.
HTTPS – Your Connection is Not Private
Another important warning is what you might see when someone has tampered with the certificate. In this instance, it might look like this:
This is helpful because it is telling you, “Hey, the web server is not responding with the corresponding certificate.”
This could be an indicator that the certificate has expired, that the website owner has not done their part to fix it, or that the website has been hacked and a bad actor is trying to redirect you to another website.
Either way, find another way to contact the website owner and inform them of the issue before proceeding.
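The three situations behind that warning (an issuer the browser does not trust, a certificate issued for a different site, and an expired certificate), as an added Go example that is not from the original article: a small HTTPS client plays the role of the browser against a local test server whose self-signed certificate is constructed by `httptest`, and `Verdict` maps each verification failure onto the warning a browser would show. The server, the `wrong.example` name and the trust stores are all assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newServer starts a local HTTPS server on a constructed self-signed certificate (generated by httptest).
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.NotFoundHandler())
}

// newClient is the "browser": it trusts only roots, expects the certificate to name serverName ("" = the URL host) and judges validity as of now.
func newClient(roots *x509.CertPool, serverName string, now time.Time) *http.Client {
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName, Time: func() time.Time { return now }}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Verdict fetches url and maps the outcome onto the warning a browser would show.
func Verdict(c *http.Client, url string) string {
	resp, err := c.Get(url)
	if err == nil { // handshake and certificate checks passed; the page content itself is still unvetted
		resp.Body.Close()
		return "secure"
	}
	var unknownCA x509.UnknownAuthorityError
	var wrongHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &unknownCA):
		return "not private: issuer not trusted"
	case errors.As(err, &wrongHost):
		return "not private: certificate is for a different site"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "not private: certificate expired"
	}
	return "error: " + err.Error()
}

func main() {
	srv := newServer()
	defer srv.Close()
	trusted := x509.NewCertPool() // the only root this "browser" trusts
	trusted.AddCert(srv.Certificate())
	fmt.Println(Verdict(newClient(trusted, "", time.Now()), srv.URL))                    // secure
	fmt.Println(Verdict(newClient(x509.NewCertPool(), "", time.Now()), srv.URL))         // issuer not trusted
	fmt.Println(Verdict(newClient(trusted, "wrong.example", time.Now()), srv.URL))       // different site
	fmt.Println(Verdict(newClient(trusted, "", time.Now().AddDate(200, 0, 0)), srv.URL)) // expired
}
```

Note that the "secure" verdict only says the connection verified; it says nothing about what the site does with the data, which is the point of the next section.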
HTTPS Does Not Secure a Website
Lastly, as a website owner and consumer, it’s important to understand that the security in HTTPS speaks only to how data is transferred from point A to point B. It protects the data from prying eyes, but does nothing for the security of the website itself, nor does it provide any assurance that the submitted payload is benign.
Put differently, you can visit a website with HTTPS and it can be maliciously collecting information, distributing malware or spyware, or being used for any number of other nefarious activities. You can also have HTTPS and your website can still be hacked, with the bad actor pushing malicious payloads to your server – securely.
That being said, in today’s modern web it’s the de facto standard to use HTTPS, and it’s also extremely easy with providers like Let’s Encrypt. There really is no reason why your website should not have HTTPS enabled, and if you use a host that charges you for a certificate it might be a good time to find a new host. Alternatively, you can look at WAF / CDN providers like NOC to assist you in getting it configured.
While I personally dislike the false sense of security HTTPS offers the web, it’s a de facto standard in today’s modern web. It’s something we need to be familiar with and something we should be leveraging if we’re managing our own websites.